VDB
GCVE-110-OSM-2026-1238
GCVE-110-OSM-2026-1238
Advisory PublishedCVSS 9.6/10
On require(), lib/initializeCaller.js fetches and executes arbitrary Node.js from https://api.npoint.io/2cc8f9fa09a141aafc03 (5/95 VT detections) via new Function.constructor('require', payload)(require). The stage-2 payload was decoded via synchrony deobfuscator (SHA256 of extracted JS: fdb582f16475cb79bebd0dffc48d610430cae2e39e9a3e2abd373b3413691838; not yet in VT — first discovery) and is a cross-platform RAT and infostealer: steals saved passwords and crypto wallet data from 13 Chromium-based browsers; exfiltrates .env files and the full home directory to http://144.172.110.132:8086/upload (Vultr VPS); establishes a socket.io reverse shell at ws://144.172.110.132:8087 with 1-second clipboard monitoring. Part of the hello@jsonspack.com campaign.
lib/initializeCaller.js IIFE base64-decodes https://api.npoint.io/2cc8f9fa09a141aafc03, GETs response.data.cookie with x-secret-key:_, executes via new Function.constructor('require', payload)(require). Payload decoded via synchrony deobfuscator. Hash correction: 00a32991fb03bef7ed76498e43be6b43b486bf0ae361e4553145ed9b13099278 was SHA256 of the raw JSON HTTP response body ({"cookie":"<JS>"}); correct extracted-JS hash is fdb582f16475cb79bebd0dffc48d610430cae2e39e9a3e2abd373b3413691838 — not found in VT, first discovery. Payload spawns three concurrent background scripts: (1) ldbScript — steals saved passwords from 13 Chromium-based browsers (Chrome, Brave, Edge, Opera, Vivaldi, Yandex, Chromium, etc.) via AES-GCM+PBKDF2 (macOS/Linux) and DPAPI (Windows); collects Local Extension Settings for 40 crypto wallet browser extensions (MetaMask, Phantom, etc.); reads macOS login.keychain-db; uploads to http://144.172.110.132:8086/upload. (2) autoUploadScript — crawls Documents/Desktop/Downloads then full home directory (macOS/Linux) or all drives (Windows); targets .env* files across the entire filesystem; uploads all files ≤10MB. (3) socketScript — socket.io client to ws://144.172.110.132:8087; full remote shell execution, directory listing, file download, 1-second clipboard polling via pbpaste (macOS). Operator constants: u_k=301, t=3, HMAC secret SuperStr0ngSecret@)@^. C2 infrastructure: 144.172.110.132 is a Vultr VPS with Plesk panel (default hostname: gifted-rhodes.144-172-110-132.plesk.page); 0/94 VT detections on IP — freshly deployed infrastructure.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-encrypted | 2.0.6 (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.